Cyber crime is possibly the greatest threat the modern, interconnected world faces. As the challenges in this space increase, organisations are seeking new methods to overcome these.
The modern world we live in today is one that is a distributed, interconnected and disrupted environment. What this essentially means is that businesses can no longer really define where the organisation begins and where it ends.
Christo Boshoff, a cyber security executive at LawTrust, points out that virtually all enterprises today are electronically linked to third-party workers, outsourcers, service providers and contractors, to name a few, and anyone of these could be a cyber security threat.
“The boundaries of the modern organisation are vague because most businesses are more digital than bricks and mortar anymore,” he told delegates at a recent risk management seminar, sponsored by governance, risk and compliance (GRC) specialist Intdev Internet Technologies, along with Unisa’s Department of Finance, Risk Management & Banking and the Institute of Risk Management SA.
“Cyber crime falls within the ‘risk’ category of GRC, and is something that is beginning to get ahead of the attempts to defend against it, with many organisations being breached without their knowledge. There are three cases from the US we have studied, where millions of customer records were put at risk by long-term breaches.”
“The American Medical Certification Association (AMCA), which holds 25 million patient records, took eight months to detect a breach. Marriott Hotels, with 500 million records, took four years to find their breach, while medical insurer Dominion National – with nearly three million patients – took nine years to discover they’d been breached. The number of potentially compromised records, coupled with the extreme length of time taken for discovery, are indicative of the fact that we are losing the cyber crime war.”
Perhaps, suggests Boshoff, the time has come to reimplement the basics. He believes there may be too many decision-makers in big corporates who have outsourced their decision-making powers to third parties. The problem, he says, with outsourcing security to the point where one expects – from a security perspective – to be told what they need, when they need it and why they need it, is that when such control is handed over to external parties that don’t eat, sleep and breathe the business, it simply creates additional layers of complexity.
“Things are already complex enough, considering we are more interconnected than ever before – the average US citizen, for example, owns up to eight devices – and yet even with the information age in full swing, we don’t seem to have a proper handle on the security issue yet.
“In this interconnected world, it is not unreasonable for a people to expect 24/7/365 availability of a platform, but this instils a fear of downtime in the IT department, often causing them to hold off on patches, upgrades and configuration changes until a swathe of these can be done at once. While this reduces the organisation’s downtime, it also significantly increases the window in which an attack can take place.”
In addition, Boshoff continues, some of most potent forms of ransomware available are now being offered in cut-price bundle deals on the dark Web. This, he says, ups the ante for security personnel, because some of this ransomware was previously only used by the most highly sophisticated criminals – now it is essentially available to anyone with $750.
“While security is obviously not the only risk concern an organisation has to manage, it is a massive one, particularly as the attack landscape today is a minefield, with the number of cyber attacks increasing in size and scope. Moreover, criminals are no longer only attacking the perimeter, but are conducting attacks across the entire landscape.
“Too many organisations still spend an inordinate amount of time and effort defending their perimeter and internal systems, when the fact is, quite often, the bad guys target your business through the open Internet.”
He points to an example outlined by another speaker, where a large retailer was compromised through a third-party heating and air-conditioning vendor. The appliance was connected to the corporate network to allow for the monitoring of temperatures within the building, and it was through this back door that the compromising attack came.
“With so many new attack vectors, some of which are not entirely within the control of the business, we can no longer wait for attacks to come to us. Today, those companies successfully avoiding attacks are the ones investing in surveillance tools that can show security experts a hacker’s view of the organisation’s environment. Having this knowledge makes a huge difference, as it it affords the business the chance to allocate its human, technology and security resources more effectively.”
The other recommendation he makes is for organisations to consider adopting the NIST Cyber-Security Framework. This, he explains, consists of standards, guidelines and best practices for managing cyber security related risk.
“The Cyber-Security Framework promotes the protection and resilience of critical infrastructure through a programme that enables users to identify, protect, detect, respond to and recover from threats,” states Boshoff.
“One way or another, adopting a new approach to cyber security is more vital than ever. After all, it is clear that cyber crime is becoming increasingly threatening to individuals, businesses and enterprises, and something significant needs to change if we are to get ahead of the criminals – because, as it stands, what chance do we really have against the cyber criminals if it can take even multibillion-dollar corporates years to detect attackers?”
Share